USB flash drives, iPods and other portable storage devices are pervasive in the workplace and a real threat. They can introduce viruses or malicious code to the network and be used to store sensitive corporate information. While IT has responded with policies and audits, the best way to safeguard data taken outside of a managed environment is encryption.
If data is encrypted, it cannot be read by an unauthorized user in case of loss or theft. Most removable-media encryption products can be configured so that an encrypted device can only be read on computers on an authorized list that run the proper encryption software and hold the correct key. To any other computer the device appears to be unformatted and any data is inaccessible.
The first issue is to control the flow of data leaving the enterprise. A full audit of existing data flows should be conducted to ascertain who is using removable media or portable devices and for what purpose. Once that is ascertained, IT can craft a policy that defines who is permitted to transfer data to removable media and under what circumstances, and ensure the policy is properly implemented.
With that in place, IT can turn to the encryption issue, which will involve evaluating the following:
* How will the encryption solution for removable media affect hard disk encryption?
* Will there be compatibility issues with existing encryption software?
* At what level (file or folder) should removable media devices be encrypted?
* Does the solution provide platform-independent encryption?
* Can administrators override the user’s password to unlock the encrypted device if the password is compromised?
* Will the encryption tool include capabilities for completely removing data from devices?
Ascertain data protection capabilities
There are full-disk encryption solutions with strong user authentication that provide removable-media encryption capabilities, as well as solutions that combine this with encryption functionality for applications such as e-mail. Whichever tool you deploy, the product should encrypt using AES 256-bit encryption, with or without additional password protection.
Ideally, the product should be configured so that the removable-media policy is applied to all users. It should automatically prevent any unauthorized attempt to use a storage device, optionally alert the IT administrator and save a full audit of the attempted connection. If data transfer will be permitted, the product should be configured to make an audit copy of the data transferred.
Other capabilities a removable-media encryption product should include are:
* Authorized device access. The product should have the ability to prevent access to all devices except those that have been explicitly approved by the administrator. This mechanism can limit the size of the device used or restrict usage to devices that have been obtained from a trusted supplier.
* Access to personal devices. Any device with storage capabilities, such as a camera or iPod, is automatically denied access to corporate endpoints.
* Authorized file copy. This capability permits the user to transfer data to a device provided he has obtained permission from the system administrator. The transfer is audited, and an audit copy of the data can be made.
* Encryption keys. For the most reliable protection, your solution should encrypt removable devices using an encryption key. Typically, each user has his own personal key, and data written to a device cannot be accessed by another user. If the user needs to share a device you can create a group encryption key and password to protect the device so that it can then be read on any machine running your encryption software.
* Existing data options. If an unencrypted device already contains data, the user can opt to preserve it during device encryption. Removable-media encryption can also be configured to permit the user to save data unencrypted.
* Easy setup and implementation. The product should offer a comprehensive infrastructure that is easy to set up and can be implemented using existing Active Directory policies. The administrator or other users should not require weeks of consultancy or training before they can install or operate the software.
Your encryption software should allow the system administrator to set permissions for each individual or user group using profiles. Whenever an employee plugs a device into an enterprise computer, the network must first authorize the device, check the content on the device and digitally tag the device before granting access. If the removable device contains legitimate files and a rogue executable, the solution should have the option to browse the media and block access to the unsafe files.
Some encryption products support a profile approach to creating user permissions that match those on the domain controller in a Windows operating system environment. Administrators can create a guest account that grants standard rights for all guests. The encryption software then enforces these policies whenever a user logs on to the virtual drive or is authenticated to use a removable media device.
Create an auditing process
Once authorized, any files transferred to the device should be fully auditable and stored centrally in a database. Audit logs should include what data was transferred, the date, time and user name, and a copy of the downloaded content. The audit logs can act as a further deterrent to employees downloading sensitive information.
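The plug-in flow described above (authorize the device, screen its contents so legitimate files stay browsable while executables are blocked, then audit each transfer) can be sketched as a small policy engine. This is an added example, not any vendor's code; the device serials, user profiles, blocked extensions and file names are constructed sample data.

```python
import hashlib
from datetime import datetime, timezone

# Hypothetical administrator allow list of approved device serial numbers.
APPROVED_DEVICES = {"SN-0001-TRUSTED", "SN-0002-TRUSTED"}
# Hypothetical per-user profiles, mirroring domain group permissions.
USER_PROFILES = {"alice": {"copy_allowed": True}, "guest": {"copy_allowed": False}}
# File types treated as executable content and hidden from the user.
BLOCKED_EXTENSIONS = (".exe", ".dll", ".scr", ".bat", ".ps1", ".vbs")


def mount_device(user, serial, device_files):
    """Decide what a user may see when a device is plugged in.
    Returns (status, accessible_files, blocked_files). Unknown devices and
    unknown users are denied outright; on an approved device the legitimate
    files stay browsable while executables are blocked."""
    if serial not in APPROVED_DEVICES:
        return "device_denied", [], list(device_files)
    if user not in USER_PROFILES:
        return "user_denied", [], list(device_files)
    blocked = [f for f in device_files if f.lower().endswith(BLOCKED_EXTENSIONS)]
    accessible = [f for f in device_files if f not in blocked]
    return "mounted", accessible, blocked


def record_transfer(user, serial, filename, content, when=None):
    """Authorize one copy to removable media and build its central audit entry.
    Returns (decision, entry). The entry holds user, device, file name,
    timestamp, a SHA-256 of the content and the retained audit copy, so
    the copy can later be matched against the log."""
    profile = USER_PROFILES.get(user, {})
    if serial not in APPROVED_DEVICES or not profile.get("copy_allowed"):
        return "copy_denied", None
    when = when or datetime.now(timezone.utc)
    entry = {
        "user": user,
        "device": serial,
        "file": filename,
        "timestamp": when.isoformat(),
        "sha256": hashlib.sha256(content).hexdigest(),
        "audit_copy": bytes(content),
    }
    return "copied", entry


if __name__ == "__main__":
    files = ["report.docx", "budget.xlsx", "setup.exe"]  # constructed sample
    print(mount_device("alice", "SN-0001-TRUSTED", files))
    print(record_transfer("guest", "SN-0001-TRUSTED", "report.docx", b"Q3 figures"))
```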
With the popularity of removable media devices it is essential you implement encryption and auditing capabilities to mitigate the risk of intentional or accidental disclosure of sensitive data. Enterprises should develop a detailed data-security policy prior to making a purchasing decision.
In addition, it is wise to have an independent third-party security company examine your information security policies and security plan for encryption protocols. The company should provide an objective opinion as to the feasibility of the security plan and offer insight on how to develop the appropriate security. This second opinion will confirm that the chosen security plan and policies are aligned with the company's needs.